In addition, nearly 80% of respondents say they have terminated or would decline a business relationship due to a vendor’s cybersecurity performance. One in 10 organisations has created a job role specifically dedicated to vendor, third-party or supplier risk.

Moreover, only 44% of respondents are reporting on this risk to their executives and boards on a regular basis. This lack of regular reporting could be the reason why nearly one in five respondents think boards and executives are not confident or do not understand their approaches to third-party risk management (TPRM).

Respondents report that they still rely on tools like annual on-site assessments, questionnaires and facility tours to assess third-party security posture, which give them only limited, point-in-time visibility into their third-party cyber risk. Meanwhile, only around one quarter (22%) of organisations are currently using a security ratings service to continuously monitor the cybersecurity performance of third parties, though almost one third (30%) say they are currently evaluating security ratings providers.